Through many clients and partners, we have gotten this question: “Do you offer phishing simulations?” The answer is no, although we do understand why they’re asking. Phishing simulations have become a standard practice when it comes to cyber security training. It may seem like everyone is doing them. But should you phish your employees and set them up for failure? Or is there something else you could do instead?
What do phishing simulations do?
In and of themselves, phishing simulations don’t raise awareness. Neither does forcing those who “failed” to sit through a lecture or long videos on cyber security. Phishing simulations, however, do give companies an indication of where they’re at awareness wise. An awareness score, if you will. But it only applies to the kind of phishing that was tested in the simulation. What it doesn’t tell you is how these employees (no matter how well they did with not clicking links or opening attachments) react to other cyber threats. Would they let a person in uniform into the building without question? Do they take confidential information to their home office? Would they have clicked on the link or attachment if the email had been more in line with their interests or line of work?
The fact is that when you phish your employees with a simulation you can only test a fraction of the phishing methods that can and will eventually be used to try to scam employees. And hackers are constantly creating new ways to phish and scam. It may look good on paper to say you’ve done a phishing simulation. What it also does is set up your staff, who might resent you for it as well as any subsequent cyber security training they receive as a result. And that’s not the way to build a strong security culture within a company.
Why do you want to do a phishing simulation?
It’s understandable that you’ll want to teach your employees about phishing because that’s usually the start of serious security breaches and hacks. We want everyone to be better able to recognize phishing emails too. Opening emails and attachments has become a big part of many jobs. It’s easy to click on the wrong link or attachment as a routine. That’s where security awareness comes in.
There are many cyber security firms that offer simulated phishing tests that are designed to test the level of cyber security awareness. Others may be the experts when it comes to phishing simulations and we realize our limitations. Instead, we decided to put all our efforts into offering the most high-quality security awareness training content and make it easily available to businesses of all shapes and sizes. If our clients want to do a phishing simulation that can easily be arranged through a third party. However, we don’t think phishing simulations are always necessary. There’s also this gut feeling we have that tells us that too often they are unethical and can have adverse effects.
What to do instead of a phishing simulation
Number one, two and three, train, train and train your employees. Then train them again. The message of cyber security awareness should be kept top-of-mind all year round. If you need a benchmark to measure results or progress, there are a few things you can look at.
- After you start your selected cyber security awareness program have reports of spam, phishing or malware increased? If the answer is yes it means your staff is more aware, not that you‘re being attacked more often.
- Have your IT team look at proven hacking incidents before and after training began.
- Have your employees take a test about cyber security before training begins. Test them again in 6 months and then after a year.
- AwareGO is working on gamification that will give companies a benchmark. Security awareness training will be designed to each employee’s needs based on their success in the game. In addition to having a fun outlet to compete with your fellow employees we hope this new way will make phishing simulations a thing of the past.
Raise awareness, not hackles
There’s no use in just phishing your employees and then leaving it at that. It’s what you do next that really matters. Phishing simulations are not mandatory just because they’ve become the norm. Running a simulation also doesn’t mean that there can be no talk of security awareness beforehand. It’s always better to train employees and raise awareness. Help your employees understand why you need strong cyber security. They need to know that spam filters and firewalls are not going to protect them 100%. That they are the ultimate firewall. And it’s not just important for the company, it‘s important for them personally as well.
If you are going to run a phishing simulation do it with care and purpose. Coordinate your efforts with the phishing test by sending out a security awareness campaign, posters and emails about what you are doing and why you are doing it. In other words, help your staff instead of setting them up.
Building a strong security culture
What you really want is not just good awareness scores for your files but a strong security culture. Having a strong security culture within you company means that employees, on every level, will tap each other on the shoulder when they see behavior that doesn’t comply with the company’s security standards. They will model good behavior to their peers and go to great lengths to protect the company. And they will help each other keep the company safe.
This only works if everyone feels that they are “in this together”. That’s why messages of cyber security procedures should not come from “on-high” but rather move laterally throughout the company. It can be a job for HR, IT, a specific DPO or a CISO (or even a combined effort) but the message needs to be inclusive, simple and make sense to everyone.
Punishing people for mistakes is a surefire way to install fear. When employees live in fear, they are less likely to participate in the training and, less likely to report breaches and data leaks. They are also more likely to quit.
Cultivate a no-blame policy where employees are rewarded for good behavior and offered additional training to set them up for success if they make mistakes. Make sure everyone knows that cyber security is everyone’s business and that all will benefit from it.
With no fear and a common goal, the employee buy-in will be much higher and your company that much safer.